discourse/app/controllers/search_controller.rb
Ian Christian Myers 0d01c33482 Enabled strong_parameters across all models/controllers.
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 00:30:59 -07:00

39 lines
1.1 KiB
Ruby

require_dependency 'search'
class SearchController < ApplicationController
def self.valid_context_types
%w{user topic category}
end
def query
params.require(:term)
search_args = {guardian: guardian}
search_args[:type_filter] = params[:type_filter] if params[:type_filter].present?
search_context = params[:search_context]
if search_context.present?
raise Discourse::InvalidParameters.new(:search_context) unless SearchController.valid_context_types.include?(search_context[:type])
raise Discourse::InvalidParameters.new(:search_context) if search_context[:id].blank?
klass = search_context[:type].classify.constantize
# A user is found by username
context_obj = nil
if search_context[:type] == 'user'
context_obj = klass.where(username: params[:search_context][:id]).first
else
context_obj = klass.where(id: params[:search_context][:id]).first
end
guardian.ensure_can_see!(context_obj)
search_args[:search_context] = context_obj
end
search = Search.new(params[:term], search_args.symbolize_keys)
render_json_dump(search.execute.as_json)
end
end